← Back

Drobo

drobo

15 CVEs • 2 products

Products (2)

Click to collapse
Toggle
5n2 Firmware
5n2_firmware
15 CVEs
5n2
0 CVEs

CVEs (15)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2018-14705
1Drobo
15n2 Firmware
Nov 21, 2024
Feb 24, 2020
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applicati...Show more
In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.Show less
CVE-2018-14709
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
5.0 MEDIUM· v2
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
CVE-2018-14708
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.
CVE-2018-14707
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
7.5 HIGH· v3
7.8 HIGH· v2
Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.
CVE-2018-14706
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.
CVE-2018-14704
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
CVE-2018-14703
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
5.0 MEDIUM· v2
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
CVE-2018-14702
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVE-2018-14701
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-14700
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
CVE-2018-14699
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-14698
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
CVE-2018-14697
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.
CVE-2018-14696
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVE-2018-14695
1Drobo
15n2 Firmware
Nov 21, 2024
Dec 3, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.